2023 OWASP API Security Top 10 Best Practices
After four long years since the original…
While previously we have looked at very basic CRUD (create, read, update, delete) APIs, in reality APIs are not just creating, reading, updating or deleting single resources: they process a lot of data, including business logic. APIs crunch input or send it downstream to other applications or processes. Unrestricted Access to Sensitive Business Flows is all about how an API is used and what it can do, and whether that use can have an unintended security outcome. The severity of these vulnerabilities therefore varies too, depending on how an API works, what it does and the business logic behind it.
Suzy’s Social is steadily growing, and Suzy notices that people are starting to get creative with the platform’s limitations and posting unintended kinds of content. She initially thought of Suzy’s Social as just a microblogging platform: posts limited by character count, anyone able to repost, reply or reshare outside the platform, and interested users following the creators whose content they really enjoyed to keep up to date. Now her users are posting creative pieces like news stories, book summaries, videos and artwork. Realising the opportunity, she decides to create a way for creators to get paid on Suzy’s Social by sharing a portion of the ad revenue with them: depending on how many views they get, and how many ads those viewers see and click on, she’ll give them a portion of what advertisers pay to advertise on the platform. She releases the feature and creators cheer as their small payments begin to land in their bank accounts. Adam, our attacker, sees an opportunity. He realises that the view count doesn’t have any spam protection, so the same viewer can refresh the page and another view is counted.
This initially seems fairly limited: it only affects his own statistics. But when the new feature is released he sees an opportunity. As he begins testing he realises that refreshing the page isn’t enough to see more adverts on his content; it only increases the view count. But as he tests the API he finds an endpoint that directly loads adverts. With a few hours of testing and a small Python script, he can fake the view count and, importantly, use the API to load adverts for those fake views. He creates a single post that generates thousands in ad sharing, the best-performing post on the website! Suzy is initially impressed and goes to check what kind of creative post produces this much revenue. As she enters her administrative control panel, she realises the only content of that post is the single word “test”.
APIs aren’t the only applications that send data downstream to other services or functions, but it’s very important that, like any other application, APIs do not trust user input and validate it before sending it on to other services. The best way to prevent these flaws is a good application security programme, with clear processes to report, fix, deploy and test security flaws both in APIs and in downstream applications, and to identify functionality that is likely to be vulnerable or targeted, such as payment systems.
The best way to mitigate these vulnerabilities is to understand what your users are doing.
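As an added example (not code from the original post or from Suzy’s Social), here is one way a defender could close both gaps Adam exploited: views are counted once per viewer per post within a time window, and an ad impression can only be billed against a server-issued token from a counted view, so the ad-loading call cannot be driven on its own. `ViewLedger`, `record_view` and `record_ad_impression` are hypothetical names.

```python
import secrets
import time
from collections import defaultdict

DEDUP_WINDOW = 3600        # one counted view per viewer per post per hour
MAX_ADS_PER_VIEW = 3       # ad impressions a single counted view may earn


class ViewLedger:
    """Server-side ledger that treats views and ad impressions as one flow.
    Hypothetical design for the scenario above, not a real platform's API."""

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock for testing
        self.last_view = {}                   # (viewer, post) -> last counted time
        self.views = defaultdict(int)         # post -> counted views
        self.ad_tokens = {}                   # view token -> (post, budget left)
        self.impressions = defaultdict(int)   # post -> billable ad impressions

    def record_view(self, viewer, post):
        """Count the view only once per viewer per post within DEDUP_WINDOW.
        Returns a view token for the ad flow, or None when the view was a refresh."""
        ts = self.now()
        last = self.last_view.get((viewer, post))
        if last is not None and ts - last < DEDUP_WINDOW:
            return None                       # refresh: no new view, no ad budget
        self.last_view[(viewer, post)] = ts
        self.views[post] += 1
        token = secrets.token_hex(16)         # unguessable, known only server-side
        self.ad_tokens[token] = (post, MAX_ADS_PER_VIEW)
        return token

    def record_ad_impression(self, post, token):
        """Bill an ad impression only against a live view token for this post
        that still has budget; direct calls with no or forged token are rejected."""
        entry = self.ad_tokens.get(token)
        if entry is None or entry[0] != post or entry[1] <= 0:
            return False
        self.ad_tokens[token] = (post, entry[1] - 1)
        self.impressions[post] += 1
        return True
```

A production service would keep the ledger in shared storage with expiry rather than in process memory, and would feed its rejections into monitoring, which is where understanding what your users are doing starts.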